The ability to trace stolen funds across multiple blockchains has evolved from a niche skill practiced by a handful of blockchain analysts to an essential competency for anyone serious about understanding cryptocurrency security. The IoTeX ioTube bridge exploit on February 21, 2026 — where an attacker drained $4.4 million in assets and laundered them through Uniswap and THORChain before consolidating the proceeds in Bitcoin wallets — provides a textbook case study in cross-chain fund movement. With Bitcoin at $68,000 and Ethereum near $1,974, the economic incentives for attackers to target cross-chain infrastructure have never been higher. This tutorial walks through the technical process of tracking stolen assets as they move between blockchains, using publicly available tools and techniques that any technically proficient user can replicate.
The Objective
This tutorial aims to equip you with the skills necessary to trace cryptocurrency transactions across multiple blockchains using block explorers, on-chain analysis tools, and cross-chain tracking techniques. By the end, you will understand how to follow stolen funds from the initial exploit through decentralized exchange swaps and cross-chain bridge transfers to their final destination. We will use the IoTeX ioTube exploit as our primary case study, examining the specific addresses, transactions, and techniques involved in the $4.4 million heist and subsequent laundering process.
The skills covered here are valuable not only for security researchers and investigators but for any crypto user who wants to understand how funds move across chains and how to evaluate the security of cross-chain infrastructure. Understanding the attacker’s playbook makes you better equipped to protect your own assets and to evaluate the risks of the bridges and protocols you use.
Prerequisites
Before beginning, you should have a solid understanding of blockchain fundamentals: how transactions work, what addresses are, and how to read basic transaction data on a block explorer like Etherscan. Familiarity with Ethereum, Bitcoin, and at least one additional blockchain network is helpful. You will need access to a web browser and the following free tools: Etherscan for Ethereum transactions, Mempool.space or Blockchain.com Explorer for Bitcoin transactions, and Etherscan’s token tracker for ERC-20 token movements.
Understanding the basics of decentralized exchanges — particularly how Uniswap’s automated market maker model works — will help you follow the swap transactions that attackers use to convert stolen tokens into more liquid assets. Knowledge of how cross-chain bridges operate, specifically the lock-and-mint mechanism, will provide context for understanding how funds move between networks.
Finally, a basic understanding of THORChain’s architecture is useful. THORChain is a decentralized cross-chain liquidity protocol that enables swaps between assets on different blockchains without requiring centralized intermediaries. Its permissionless nature makes it a popular tool for laundering stolen funds, as there is no central entity that can freeze transactions or reverse swaps.
Step-by-Step Walkthrough
Step 1: Identify the Initial Exploit Transactions
The investigation begins at the point of exploitation. In the IoTeX case, the attacker gained control of the validator owner key for the ioTube bridge on Ethereum. Using Etherscan, you can locate the ioTube bridge contracts: the MintPool contract, which is responsible for creating wrapped tokens, and the TokenSafe contract, which holds locked assets. The first suspicious transactions appear as large withdrawals from the TokenSafe contract, transferring USDC, USDT, WBTC, WETH, IOTX, PAXG, DAI, BUSD, and UNI to an attacker-controlled address.
Simultaneously, you will observe mint transactions in the MintPool contract. The attacker minted approximately 821 million CIOTX tokens and 9.3 million CCS tokens — unbacked wrapped tokens created using the stolen administrative authority. On Etherscan, these mint transactions are identifiable by the Mint function call in the transaction input data. Each mint transaction increases the total supply of the wrapped token without a corresponding deposit of original tokens on the IoTeX chain.
Step 2: Follow the Consolidation Phase
After the initial theft, attackers typically consolidate stolen assets into a smaller number of wallets to prepare for laundering. In the IoTeX case, the stolen tokens were moved from the initial attacker address through several intermediate addresses. You can trace these movements by clicking through the destination addresses on Etherscan, following each transfer until you reach the addresses that interact with Uniswap.
Pay attention to the gas funding pattern. Attackers need ETH to pay for transaction fees, and the source of this gas funding can provide valuable intelligence. In many cases, the gas funding wallet has been active in previous exploits — as was observed with the IoTeX attacker, whose funding wallet was linked to the $49 million Infini stablecoin platform exploit from February 2025.
Step 3: Trace Through Decentralized Exchange Swaps
The next stage involves converting diverse stolen tokens into a single, liquid asset — typically ETH. The attacker in the IoTeX case used Uniswap to swap stolen USDC, USDT, WBTC, IOTX, DAI, and other tokens into ETH. On Etherscan, these swaps appear as interactions with Uniswap router or pool contracts. The transaction input data will show the exact swap parameters: the input token, the output token, the amount, and the minimum output amount.
By examining the swap transactions, you can determine how much ETH the attacker accumulated. Track the ETH flowing out of the Uniswap contracts back to the attacker’s addresses. This gives you the total ETH balance that the attacker will subsequently bridge to another network.
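To read the swap parameters described in this step straight from the input data, the added example below (not part of the original article) decodes the calldata by hand. It assumes the swap used the Uniswap V2 router function swapExactTokensForETH, which the article does not specify; the sample call, recipient and deadline are constructed.

```python
# Assumption: the swap went through the Uniswap V2 router function
# swapExactTokensForETH(uint256,uint256,address[],address,uint256).
SELECTOR = "18cbafe5"
USDC = "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48"
WETH = "0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2"

def _word(args: bytes, i: int) -> int:
    """Read the i-th 32-byte ABI word as an unsigned integer."""
    return int.from_bytes(args[32 * i:32 * i + 32], "big")

def _addr(value: int) -> str:
    """Format the low 160 bits of an ABI word as a hex address."""
    return "0x" + format(value & ((1 << 160) - 1), "040x")

def decode_swap(calldata_hex: str) -> dict:
    """Return the swap parameters carried in the transaction input data."""
    hexdata = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    raw = bytes.fromhex(hexdata)
    if raw[:4].hex() != SELECTOR:
        raise ValueError("not a swapExactTokensForETH call")
    args = raw[4:]
    if len(args) < 5 * 32 or len(args) % 32:
        raise ValueError("truncated calldata")
    start = _word(args, 2) // 32      # head word 2 = byte offset of path[]
    count = _word(args, start)        # array length precedes its elements
    if count < 2 or len(args) < 32 * (start + 1 + count):
        raise ValueError("malformed path")
    path = [_addr(_word(args, start + 1 + k)) for k in range(count)]
    return {
        "amount_in": _word(args, 0), "amount_out_min": _word(args, 1),
        "token_in": path[0], "token_out": path[-1], "hops": count - 1,
        "recipient": _addr(_word(args, 3)), "deadline": _word(args, 4),
    }

def sample_calldata() -> str:
    """Constructed call: swap 1,000 USDC (6 decimals) for at least 0.5 ETH."""
    words = [1_000 * 10**6, 5 * 10**17, 0xA0, 0x1234, 1_771_700_000,
             2, int(USDC, 16), int(WETH, 16)]
    return "0x" + SELECTOR + "".join(format(w, "064x") for w in words)
```

Swaps routed through other Uniswap contracts or aggregators use different function signatures, so check the selector before trusting the decoded fields.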
Step 4: Track the Cross-Chain Bridge Transfer
This is where the investigation becomes technically challenging. The IoTeX attacker used THORChain to bridge their ETH to BTC. THORChain operates as a cross-chain liquidity protocol, and tracking swaps through it requires monitoring both the source chain (Ethereum) and the destination chain (Bitcoin).
On the Ethereum side, look for transactions from the attacker’s addresses to THORChain vault addresses. THORChain publishes its active vault addresses, and you can identify inbound swap transactions by examining the memo data attached to each transaction. The memo specifies the destination chain, the destination address, and the slippage tolerance for the swap.
Once you have identified the THORChain inbound transaction and the destination Bitcoin address specified in the memo, switch to a Bitcoin block explorer. Search for the destination address to confirm the inbound BTC transaction. In the IoTeX case, investigators identified four Bitcoin wallets holding approximately 66.6 BTC total — worth roughly $4.3 million at the time.
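The memo-to-Bitcoin-address lookup in this step can be scripted. The added example below (not from the original article) parses swap memos and pairs each Ethereum-side inbound with a Bitcoin receipt at the memo's destination address inside a time window. The memo layout and abbreviations are assumptions taken from THORChain's public memo documentation, the 3600-second window is an assumed default, and all records are constructed placeholders.

```python
from typing import NamedTuple, Optional

# Assumed memo layout: SWAP:ASSET:DESTADDR:LIM/INTERVAL/QUANTITY, with "=" or "s"
# for SWAP and "b" / "e" for BTC.BTC / ETH.ETH. LIM is a minimum output (1e8 units).
SWAP_ALIASES = {"SWAP", "S", "="}
ASSET_ALIASES = {"B": "BTC.BTC", "E": "ETH.ETH"}

class SwapMemo(NamedTuple):
    chain: str              # destination chain, e.g. "BTC"
    asset: str
    dest: str               # destination address on that chain
    limit: Optional[int]    # None when the memo sets no limit

def parse_swap_memo(memo: str) -> Optional[SwapMemo]:
    """Parse a swap memo; return None for anything that is not a swap."""
    parts = memo.strip().split(":")
    if len(parts) < 3 or parts[0].upper() not in SWAP_ALIASES or not parts[2]:
        return None
    asset = ASSET_ALIASES.get(parts[1].upper(), parts[1].upper())
    lim = parts[3].split("/")[0] if len(parts) > 3 else ""
    try:  # LIM may be written in scientific notation, e.g. "1e8"
        limit = (int(lim) if lim.isdigit() else int(float(lim))) if lim else None
    except (ValueError, OverflowError):
        return None
    return SwapMemo(asset.split(".")[0], asset, parts[2], limit)

def match_btc_receipts(inbounds, receipts, window_s=3600):
    """Pair each Ethereum-side inbound with the first BTC receipt at its memo address."""
    pairs = []
    for tx in inbounds:
        memo = parse_swap_memo(tx["memo"])
        if memo is None or memo.chain != "BTC":
            continue
        for rx in sorted(receipts, key=lambda r: r["time"]):
            delay = rx["time"] - tx["time"]
            if rx["address"] == memo.dest and 0 <= delay <= window_s:
                pairs.append((tx["hash"], rx["txid"], delay))
                break
    return pairs

# Constructed sample records; hashes and addresses are placeholders.
INBOUNDS = [
    {"hash": "0xETH_TX_A", "time": 1000, "memo": "=:b:bc1q_placeholder_1:6650000000"},
    {"hash": "0xETH_TX_B", "time": 1200, "memo": "=:ETH.USDT-0XPLACEHOLDER:0xplaceholder"},
]
RECEIPTS = [
    {"txid": "BTC_TX_1", "time": 2900, "address": "bc1q_placeholder_1"},
    {"txid": "BTC_TX_2", "time": 9000, "address": "bc1q_placeholder_1"},
]
```

An inbound that finds no match is the cue to widen the window or check whether the payout went to a different address than the one you expected.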
Step 5: Document and Correlate
The final step is to compile your findings into a coherent timeline that maps the flow of funds from the initial exploit to the final destination. Document each address, transaction hash, token amount, and timestamp. Cross-reference your findings with reports from on-chain analysis firms like PeckShield, Specter, and Beosin, which often provide additional context such as links to previous exploits or known attacker infrastructure.
In the IoTeX investigation, this correlation process revealed that the attacker’s funding wallet was connected to the earlier Infini exploit, suggesting either the same attacker or a shared operational infrastructure. This type of intelligence linkage is valuable for the broader security community and can help prevent future incidents by identifying threat actors before they strike again.
Troubleshooting
The most common challenge in cross-chain tracing is losing the trail at the bridge transfer point. If you cannot find the corresponding inbound transaction on the destination chain, verify that you have the correct destination address — THORChain sometimes routes swaps through intermediate vault addresses. Check the THORChain block explorer at thoryield.com or runestore.info for additional swap details that may not be visible on standard chain explorers.
Another frequent issue is dealing with token decimals. When tracing large token amounts, ensure you account for the correct number of decimal places. USDC uses 6 decimals, while most ERC-20 tokens use 18. A raw amount of 1000000000 for USDC equals 1,000 USDC, while the same raw amount for an 18-decimal token equals a tiny fraction of a token. Mixing up decimal places can lead to wildly inaccurate loss estimates.
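The decimals pitfall and the timeline from Step 5 fit in one small script. The added example below (not from the original article) normalizes raw transfer amounts with exact decimal arithmetic, refuses to guess decimals for unknown tokens, and orders the records into a timeline. The transfer records are constructed, and the decimals table covers only tokens whose on-chain values are well known.

```python
from decimal import Decimal

# decimals() values for some tokens named in this article.
DECIMALS = {"USDC": 6, "USDT": 6, "WBTC": 8, "WETH": 18, "DAI": 18}

def to_units(symbol: str, raw: int) -> Decimal:
    """Convert a raw integer amount to whole tokens without float rounding."""
    if symbol not in DECIMALS:
        # Defaulting to 18 here is exactly the mistake that skews loss estimates.
        raise KeyError(f"decimals unknown for {symbol}; read decimals() on the contract")
    return Decimal(raw).scaleb(-DECIMALS[symbol])

def build_timeline(transfers):
    """Sort transfer records by time and attach the normalized amount to each row."""
    ordered = sorted(transfers, key=lambda t: t["time"])
    return [{**t, "amount": to_units(t["token"], t["raw"])} for t in ordered]

def totals_by_token(timeline):
    """Sum normalized amounts per token for the loss estimate."""
    totals = {}
    for row in timeline:
        totals[row["token"]] = totals.get(row["token"], Decimal(0)) + row["amount"]
    return totals

def misread_factor(symbol: str, assumed_decimals: int = 18) -> Decimal:
    """Factor by which an estimate shrinks if assumed_decimals replaces the real value."""
    return Decimal(10) ** (assumed_decimals - DECIMALS[symbol])

# Constructed sample records; hashes are placeholders.
TRANSFERS = [
    {"time": 300, "hash": "0xTX_3", "token": "DAI", "raw": 2 * 10**18},
    {"time": 100, "hash": "0xTX_1", "token": "USDC", "raw": 1_000_000_000},
    {"time": 200, "hash": "0xTX_2", "token": "WBTC", "raw": 150_000_000},
    {"time": 400, "hash": "0xTX_4", "token": "USDC", "raw": 250_000},
]
```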
Transaction timing discrepancies between chains can also complicate investigations. Ethereum blocks are produced approximately every 12 seconds, while Bitcoin blocks average 10 minutes. A swap initiated on Ethereum may not appear as received Bitcoin for 30 to 60 minutes, depending on network conditions and THORChain’s processing time. Be patient and check multiple confirmation levels on the destination chain.
Mastering the Skill
To develop proficiency in on-chain forensics, practice with historical exploits that have been thoroughly documented by the security community. The Rekt leaderboard provides detailed breakdowns of major DeFi exploits with relevant transaction hashes and analysis. Start with well-documented cases and work your way up to more complex multi-chain traces.
Consider learning to use automated on-chain analysis tools such as Nansen, Arkham Intelligence, or Dune Analytics. These platforms provide pre-built dashboards and query capabilities that can dramatically accelerate the tracing process. While they require paid subscriptions for full access, the free tiers often provide sufficient functionality for educational purposes.
Engage with the blockchain security community on platforms where on-chain analysts share real-time threat intelligence. Following analysts like PeckShield, Specter, and ZachXBT provides ongoing exposure to current investigation techniques and emerging attack patterns. The skills required for effective on-chain forensics are constantly evolving as attackers develop new laundering techniques, and staying current with the latest threat intelligence is essential for maintaining your investigative capabilities.
Finally, remember that on-chain forensics serves a purpose beyond investigation. The skills you develop will make you a more informed and security-conscious crypto user, better equipped to evaluate the risks of the protocols you interact with and to protect your own assets in an increasingly complex multi-chain landscape.
Disclaimer: This article is for informational and educational purposes only and does not constitute financial, legal, or investment advice. Always conduct your own research before making any financial decisions.
laundering through uniswap then thorchain then into btc wallets is textbook 2026 mixer replacement. bridges made forensics 10x harder
thorchain is the real problem here. it's basically a decentralized mixer with extra steps at this point
skateordie calling thorchain a mixer is generous. at least mixers try to be private. thorchain swaps are fully on chain and traceable, just cross-chain which slows things down
the $4.4M ioTube exploit is a perfect case study because the attacker used literally every obfuscation technique available and still got traced. chainalysis is scarily good now
good walkthrough of the uniswap swap tracing. most people don't realize dex swaps are fully traceable, the anonymity breaks once you hit a cex